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^ ' This paper introduces quantum analogues of non-interactive perfect and statistical zero- 

00 . knowledge proof systems. Similar to the classical cases, it is shown that sharing randomness or 

lO ' entanglement is necessary for non-trivial protocols of non-interactive quantum perfect and statis- 

tical zero-knowledge. It is also shown that, with sharing EPR pairs a priori, the class of languages 
having one-sided bounded error non-interactive quantum perfect zero-knowledge proof systems has 
a natural complete problem. Non-triviality of such a proof system is based on the fact proved 
■ in this paper that the Graph Non- Automorphism problem, which is not known in BQP, can be 

reduced to our complete problem. Our results may be the first non-trivial quantum zero-knowledge 
proofs secure even against dishonest quantum verifiers, since our protocols are non-interactive, and 
thus the zero-knowledge property does not depend on whether the verifier in the protocol is honest 
pH . or not. A restricted version of our complete problem derives a natural complete problem for BQP. 

^ . 

O^' 1 Introduction 



Zero-knowledge proof systems were introduced by Goldwasser, Micali, and Rackoff [12| and have been 
studied extensively from both complexity theoretical and cryptographic viewpoints. Because of their 
I wide applicability in the domain of classical communication and cryptography, quantum analogue of 
zero-knowledge proof systems is expected to play very important roles in the domain of quantum 
communication and cryptography. 

Very recently Watrous proposed a formal model of quantum statistical zero-knowledge proof 
systems. To our knowledge, his model is the only one for a formal model of quantum zero-knowledge 
proofs, although he only considers the case with an honest verifier. The reason why he only considers 
the case with an honest verifier seems to be that even his model may not give a cryptographically 
satisfying definition for quantum statistical zero-knowledge when the honest verifier assumption is 
absent. Indeed, generally speaking, difficulties arise when we try to define the notion of quantum zero- 
knowledge against cheating verifiers by extending classical definitions of zero-knowledge in the most 



straightforward ways. See [13| for a discussion of such difficulties in security of quantum protocols. 
Nevertheless, the model of quantum statistical zero- knowledge proofs by Watrous is natural and 
reasonable at least in some restricted situations. One of such restricted situations is the case with 
an honest verifier, which was discussed by Watrous himself. Another situation is the case of non- 
interactive protocols, which this paper treats. 
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Classical version of non-interactive zero-knowledge proof systems was introduced by Blum, Feld- 
man, and Micali IH, and was later studied by a number of works ||5|, 16, |^, 0, |2^. Such non- 

interactive proof systems put an assumption that a verifier and a prover share some random string, and 
it is known that sharing randomness is necessary for non-trivial protocols (i.e. protocols for languages 
beyond BPP) of non-interactive quantum zero-knowledge proofs As for non-interactive statistical 
zero-knowledge proof systems, De Santis, Di Crescenzo, Persiano, and Yung showed an existence of 
a complete promise problem for the class NISZK of languages having non- interactive statistical zero- 
knowledge proof systems. Goldreich, Sahai, and Vadhan showed another two complete promise 
problems for NISZK, namely the Entropy Approximation (EA) problem and the Statistical Difference 
from Uniform (SDU) problem, from which they derived a number of properties of NISZK such as 
evidence of non-triviality of the class NISZK. 

This paper focuses on quantum analogues of non-interactive perfect and statistical zero-knowledge 
proof systems. The notion of quantum zero-knowledge used in this paper is along the lines de- 
fined by Watrous [21|. First, similar to the classical cases, it is shown that sharing randomness or 
entanglement is necessary for non-trivial protocols (i.e. protocols for languages beyond BQP) of non- 
interactive quantum perfect and statistical zero-knowledge. Next, it is shown that, with sharing EPR 
pairs a priori, the class of languages having one-sided bounded error non-interactive quantum perfect 
zero-knowledge proof systems has a natural complete promise problem, which we call the Quantum 
State Closeness to Identity ( QSCI) problem, informally described as follows: given a description of a 
quantum circuit Q, is the output qubits of Q is maximally entangled to the non-output part or is it far 
from that? Note that our QSCI problem may be viewed as a quantum variant of the SDU problem, 
which is shown NISZK-complete by Goldreich, Sahai, and Vadhan However, our proof for the 
completeness of the QSCI problem is quite different from their proof for the classical case at least 
in the following two senses: (i) the completeness of the QSCI problem is shown in a direct manner, 
while that of the classical SDU problem was shown by using other complete problems such as the 
EA problem, and (ii) our proof for the completeness result is rather quantum information theoreti- 
cal. Using our complete problem, it is straightforward to show that the Graph Non-Automorphism 
(GNA) problem (or sometimes called the Rigid Graphs problem) has a non-interactive quantum per- 
fect zero-knowledge proof system of perfect completeness. Since the GNA problem is not know in 
BQP, this gives an evidence of non-triviality of our proof systems. One of the merits of consider- 
ing non-interactive models is that the zero-knowledge property in non-interactive protocols does not 
depend on whether the verifier in the protocol is honest or not. Thus, our results may be the first 
non-trivial quantum zero-knowledge proofs secure even against dishonest quantum verifiers. It is also 
shown that a restricted version of our complete problem derives a natural complete problem for BQP. 

The remainder of this paper is organized as follows. In Section || we give formal definitions of non- 
interactive quantum statistical and perfect zero- knowledge proof systems, and introduce the Quantum 
State Closeness to Identity problem. In Section ^ we show the necessity of sharing randomness or 
entanglement for non-trivial protocols of non-interactive quantum zero-knowledge. In Section |^ we 
show our main result of completeness and its applications. Finally, we conclude with Section |5|, 
which mentions our conjectures on non-interactive quantum zero- knowledge proofs. Familiarity with 
the basics of quantum computation and information theory as well as classical zero-knowledge proof 
systems is assumed throughout this paper. See |14, ^ for the basics of quantum computation and 
information theory and 0, ^ for those of classical zero- knowledge proof systems. 



2 Definitions 

2.1 Quantum Circuits and Polynomial-Time Preparable Sets of Quantum States 

A family {Qx} of quantum circuits is said to be polynomial-time uniformly generated if there exists 
a classical deterministic procedure that, on each input x, outputs a description of Qx and runs in 
time polynomial in n = For simplicity, we assume that all input strings are over the alphabet 
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S = {0, 1}. It is assumed that the quantum circuits in such a family are composed of gates in some 
reasonable, universal, finite set of quantum gates such as the Shor basis. Furthermore, it is assumed 
that the number of gates in any circuit is not more than the length of the description of that circuit, 
therefore Qx must have size polynomial in n. For convenience, in the subsequent sections, we often 
identify a circuit Qx with the unitary operator it induces. 

It should be mentioned that to permit non-unitary quantum circuits, in particular, to permit 
measurements at any timing in the computation does not change the computational power of the model 
of quantum circuits in view of time complexity. See ||^] for a detailed description of the equivalence of 
the unitary and non- unitary quantum circuit models. 

Given a collection {p^} of mixed states, let us say that the collection is polynomial-time preparable 
if there exists a polynomial-time uniformly generated family {Qx} of quantum circuits such that, for 
every x of length n, (i) Qx is a quantum circuit over q{n) qubits for some polynomially bounded 
function q: — > N, and (ii) for the pure state QxlO''^"^), the first Qoutin) qubits of it is in the mixed 
state px when tracing out the rest q{n) — qout{n) qubits, where gout '■ '^'^ — > N is a polynomially bounded 
function satisfying gout < Q- In the above description, the collection of the first goutl^^) qubits may 
be regarded as an output, and thus we also say that such a family {Qx} of quantum circuits is q-in 
qout-out. 

2.2 Non-Interactive Quantum Statistical Zero-Knowledge with Shared EPR-Pairs 

Here we give a definition of non-interactive quantum statistical (and perfect) zero-knowledge proof 
systems in which the verifier and the prover share EPR-pairs prior to the protocol. 

Similar to quantum statistical zero- knowledge proof systems [^], we define non-interactive quan- 
tum statistical zero- knowledge proof systems in terms of quantum circuits. 

For each input x S S* of length n = \x\, the entire system of a non-interactive quantum statistical 
zero-knowledge proof consists of q{n) = qv{n) + QMi^) + Qvin-) qubits, where qvin) is the number of 
qubits that are private to a verifier V, qv{n) is the number of qubits that are private to a prover P, 
and qMi'iT') is the number of message qubits sent from P to V. Furthermore, it is assumed that the 
verifier V and the prover P shares EPR pairs a priori among their private qubits. Let qs{n) be the 
number of the EPR pairs shared by V and P. It is also assumed that gy, qj^, and g^ are polynomially 
bounded functions. Let q\;- = qv — Qs and g-p_ = q-p — qs- 

A {q-\;,qM)-'^^stricted quantum verifier y is a polynomial-time computable mapping of the form 
y : S* ^ S*, where S = {0, 1} is the alphabet set. V receives a message of at most qM{^) qubits from 
the prover, and uses at most qv{n) qubits for his private space, including qubits of shared EPR pairs. 
For each input x G S* of length n = \x\, V{x) is interpreted as a description of a polynomial-time 
uniformly generated quantum circuit acting on qvin) + gx(ra) qubits. One of the private qubits of 
the verifier is designated as the output qubit. 

A {q/^,q-p) -restricted quantum prover P is a mapping of the form P: T,* ^ S*. P uses at most 
gp(n) qubits for his private space, including qubits of shared EPR pairs, and sends a message of at 
most gxC'^) qubits to the verifier. For each input x £ S*, = n, P{x) is interpreted as a description 
of a quantum circuit acting on qM{^) + Qvi'i^-) qubits. No restrictions are placed on the complexity of 
the mapping P (i.e., each P{x) can be an arbitrary unitary transformation). 

A {q\;,qMiQ'p)-^sstricted non-interactive quantum proof system consists of a (gy, gyn) -restricted 
quantum verifier V and a (qMi g-p)-restricted quantum prover P. Let V = l2{'^^^), M. = l2{'^'^^), and 

V = 12^'^''^) denote the Hilbert spaces corresponding to the private qubits of the verifier, the message 
qubits between the verifier and the prover, and the private qubits of the prover, respectively. We 
say that a (gy, gx, g-p)-restricted non-interactive quantum proof system is qs-shared-EPR-pairs if, for 
every input x of length n, there are qs{n) copies of the EPR pair (|00) -|- |ll))/\/2 that are initially 
shared by the verifier and the prover. Let Vs = l2{'^'^^) and Vs = l2{'^'^^) denote the Hilbert spaces 
corresponding to the verifier and the prover parts of these shared EPR pairs, respectively, and write 

V = V5 and V = V-g (8> Vs- It is assumed that all the qubits in V;^, A^, and V-g are initialized to 
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the |0)-states. 

Given a verifier V, a provcr P, and an input x of lengtli n, define a circuit {P{x), V(x)) acting on 
q{n) qubits to be the one applying P{x) to M. (E)V and V{x) to V ^ M in sequence. 

The probabihty that the (P, V) accepts x is defined to be the probability that an observation of 
the output qubit in the basis of {|0),|1)} yields |1), after the circuit {P{x),V{x)) is applied to the 
initial state iV'init)- 

In what follows, the circuits P{x) and V{x) of prover and verifier may be simply denoted by P 
and V, respectively, if it is not confusing. We also use the notation D(7^) for the set of mixed states 
inn. 

First we define the class NlQSZK{q\>,qM,qp,qs,a,b) of languages having (gv, <?'p)-restricted 
g^-shared-EPR-pairs non-interactive quantum statistical zero-knowledge proof systems with error 
probabilities a and b in completeness and soundness sides, respectively. 

Definition 1 Given polynomially bounded functions qy, q^i Qs '■ N and a junction q-p : Z"*" — > N, 

and functions a,b: Z+ [0,1], let NIQSZK(gvj 9A^; 95) ^0 denote the class of languages L for 
which there exists a {qy^qM) -restricted quantum verifier V such that, for every input x of length n, 

(i) Completeness: 

if x £ L, there exists a {qj^, q-p) -restricted quantum prover P such that {P,V) accepts x with 
probability at least a{n), 

(a) Soundness: 

if X ^ L, for any {qM, Qv) -restricted quantum prover P' , {P' ,V) accepts x with probability at 
most b{n), 

(Hi) Zero-Knowledge: 

there exists a polynomial-time preparable set {(Tx\ of mixed states of q\>{n) -\- qMi^i) qubits such 
that, if X E L, 

||(7a; - trp(P|V'i„it)(V'init|P^)||tr < S{n) 

for an honest prover P and some negligible function S (i.e., S{n) < l/p{n) for sufficiently large 
n for all polynomials p). 

We say that a language L is in NIQSZK(o, b) in short if there exist some polynomially bounded 
functions qiy, qMi ^'^d qs such that L is in NIQSZK(gv, QM^QV^ QS, b) for any function qp. 

Similarly, we define the class 'NlQPZK{q\;,qj^,qp,qs,a,b) of languages having {qviQAA^Qv)- 
restricted gr^-shared-EPR-pairs non-interactive quantum perfect zero-knowledge proof systems with 
error probabilities a and b in completeness and soundness sides, respectively. 

Definition 2 Given polynomially bounded functions q\; , qj^ , qg : Z+ N and a function qp : Z+ — > N, 
and functions a,b: Z+ — > [0,1], let NlQPZK{q\;,q_\4,q-p,qs,a,b) denote the class of languages L for 
which there exists a {qy, qM) -restricted quantum verifier V such that, for every input x of length n, 

(i) Completeness: 

if X £ L, there exists a {qM,Qv) -restricted quantum prover P such that {P,V) accepts x with 
probability at least a{n), 

(ii) Soundness: 

if X ^ L, for any (qM^Qp) -restricted quantum prover P' , {P',V) accepts x with probability at 

most b{n), 

(Hi) Zero-Knowledge: 

there exists a polynomial-time preparable set {ctx} of mixed states of q\;{n) + qM^rt) qubits such 
that, if X E L, ax exactly coincides with tr-p(P|^init)(V'init|-P^)- 
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As is the statistical zero-knowledge case, we say that a language L is in NIQPZK(a, h) in 
short if there exist some polynomially bounded functions gv, Qm-, ^-^d qs such that L is in 
NIQPZK((7v5 QMi QVi Qs, fl) b) for any function qp. 

Note that, similar to the QMA case, parallel repetition of non-interactive quantum statistical (or 
perfect) zero-knowledge proof systems can reduce completeness and soundness errors to be exponen- 
tially small while preserving the zero-knowledge property. 



2.3 Variants of Quantum State Distinguishability Problem 

This paper focuses on the following promise problems, all of which are parameterized by constants a 
and P satisfying < a < (3 < 1. 

First we review the (a, /3)-Quantum State Distinguishability ((a,/3)-QSD) problem, which was 
introduced and shown to be HVQSZK-complete (for any < q < < 1) by Watrous (^Tj. Note that 
this problem can be regarded as a quantum analogue of the Statistical Difference problem [^] , which 
is HVSZK-complete (and thus SZK-complete from the result HVSZK = SZK jl^ shown later). 



(a, /3)-Quantum State Distinguishability ((a, /3)-QSD) 

Input: Descriptions of quantum circuits Qq and Qi, each acting over the Hilbert space 
Tiin = 'Hout ® "^Hut 5 where TLia consists of qubits and TLout consists of (/out < ^in 
qubits. 

Promise: Letting pi = tr7^_(Qi|0«i")(0*"|Q|) for i = 0, 1, we have either one of the following 
two: 

(a) ll/Oo - Pilltr < a, 

(b) Wpq - pilltr > /?■ 

Output: Accept if ||po — Pilltr > (3, and reject if \\pQ — pi\\tr < a. 



Note that the complement of (a,/3)-QSD, which we call (a, (3) -Quantum State Closeness ({a,(3)- 
QSC) problem, is also HVQSZK-complete, as shown by Watrous [21|. 

Next we introduce (a, fi)- Quantum State Closeness to Identity ({a, (3)-QSCI) problem, which is 
a restricted version of the (a, /3)-QSC problem. Later (0, /3)-QSCI problem will be shown to be 
NIQPZK(1, 6)-complete for any < /3 < 1 and any bounded error probability b. Note that this problem 
can be regarded as a quantum analogue of the Statistical Difference from Uniform Distribution (SDU) 
problem |11], which is NISZK-complete. 



(a, /3)-Quantum State Closeness to Identity ((a, /3)-QSCI) 

Input: A description of a quantum circuit Q acting over the Hilbert space Hia = "^^out 'SD'^^Sut > 

where TL\a consists of gin qubits and TLout consists of Qout < Q\n qubits. 
Promise: Letting p = tr7.^_(Q|0«'")(0«i"|(5t)^ 

we have either one of the following two: 

(a) ||/9-I/29-'||tr < a, 

(b) ||p-//2'?°-||te >/3. 

Output: Accept if ||p - 1/2'^°"* ||tr < a, and reject if \\p - 1/2'^°"* ||tr > (3- 



Putting restrictions on the number of output qubits of the quantum circuits given as input yields 
the following two promise problems, both of which will be shown to be BQP-complete. 
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(a,/3)-0ne Qubit Quantum State Distinguishability ((a, /3)-lQSD) 

Input: Descriptions of quantum circuits Qq and Qi, each acting over the Hilbert space 
Win = "Wout "SD where "Hin consists of gin qubits and Wout consists of a single 

qubit. 

Promise: Letting pi = tr7T:_(Qi|0''i")(0«i"|(5|) for i = 0, 1, we have either one of the following 
two: 

(a) \\po - Pilltr < a, 

(b) \\po - pilltr > /?■ 

Output: Accept if \\po — pi\\tr > P, and reject if \\pQ — pi\\tr < a. 



(a,/3)-0ne Qubit Quantum State Closeness to Identity ((a, /3)-lQSCI) 

Input: A description of a quantum circuit Q acting over the Hilbert space Win = Wout^^W^, 

where Win consists of gin qubits and Wout consists of a single qubit. 
Promise: Letting p = trH_(Q|0«i")(0''i"|Qt), 

we have either one of the following two: 

(a) ||p-I/2||to <a, 

(b) ||p-//2||tr >/3. 

Output: Accept if \\p — //2||tr < a, and reject if \\p — //2||tr > P- 



3 Necessity of Shared Randomness or Shared Entanglement 

First, similar to the classical cases it is shown that sharing randomness or entanglement is necessary 
for non-trivial protocols of non-interactive quantum perfect and statistical zero-knowledge. 

Theorem 3 Without shared randomness nor shared entanglement, any language having non- 
interactive quantum perfect or statistical zero-knowledge proofs is necessarily in BQP. 

Proof. It is sufficient to show that, without shared randomness nor shared entanglement, 
NIQSZK(3/4, 1/4) is in BQP. 

Let L be a language having an NIQSZK(3/4, 1/4) protocol without shared randomness nor shared 
entanglement. Let V be the corresponding honest quantum verifier and {cr^} be the corresponding 
polynomial-time preparable set of mixed states. For every input x, consider the following polynomial- 
time quantum algorithm: 

1. Prepare ax in a quantum register R. 

2. Apply V{x) to R to have a state V{x)axV{x)^ . 

3. Accept iff the contents of R correspond to ones that make the original verifier V accept. 

(i) In the case a; is in L: 

From the zero-knowledge property of the original protocol, the difference between ax and the 
state received from the honest prover is negligible. Thus, the input x is accepted by the algorithm 
above with probability more than 2/3. 



6 



(ii) In the case x is not in L: 

Prom the soundness property of the original protocol, whatever state the honest verifier V 
receives from the prover, V accepts the input x with probability at most 1/4. In particular, if 
the honest verifier V receives ax from the prover, V accepts the input x with probability at most 
1/4. Thus, the input x is accepted by the algorithm above with probability at most 1/4 (less 
than 1/3). 

□ 



4 Completeness Results and their Applications 
4.1 NIQPZK(1, 1 /2)-Completeness of (0, /3)-QSCI 

Here we show that the (0, /3)-QSCI problem is NIQPZK(1, l/2)-complete, that is, complete for the 
class of languages having non-interactive quantum perfect zero-knowledge proof systems of perfect 
completeness. While our result is closely related to the classical result by Goldreich, Sahai, and 



Vadhan [11|, the proofs adopted in this paper are rather quantum information theoretical. 

The proof of Lemma ^ below uses the following well-known property in quantum information 
theory. 



Theorem 4 |l5|) Let G satisfy trH2l</')(</'| = tr^2|V')(V'|- Then there is a 

unitary transformation U over 7i2 such that [I-j-ii ® = IV'); where I-Hi is the identity operator 

over Til. 



Lemma 5 {0,p)-QSCI is in NIQPZK(1, 1/2) for any < (3 < 1. 

Proof. Let Q be a quantum circuit of the (0, /3)-QSCI, which is q-in Qout-out. Running 0(n) copies of 
Q in parallel for n exceeding the length of the input Q constructs a quantum circuit R of q'-in (/oufOut 
that outputs the associated mixed state ^ of q'^^^ qubits and ^ is either 1/2"^°"' or the one such that 
11^ _ //29out 11^^ is arbitrary close to 1, say ||C - I/2«°"' ||tr > 1 - 2~". 

We construct a (^outi ~9out) ^•p)-i'estricted non-interactive quantum perfect zero-knowledge proof 
system of gQ^^-shared-EPR-pairs. Consider the (^ouf'?' ~ gout)-restricted quantum verifier V. Let the 
quantum registers M and S consist of the message qubits and qubits in the verifier part of the shared 
EPR pairs, respectively. The verification procedure of the verifier is as follows: 

1. Receive a message in M from the prover. 

2. Apply R} on the pair of quantum registers (M, S). 

3. Accept if (M, S) contains 0"^', otherwise reject. 

For the completeness, suppose that ^ = 1/2'^°"*. Note that the pure state 10) = (i?|09 )) |09P) of 
q' + q-p qubits is a purification of ^. Since the initial state iV'init) G V <^ Ai <Si V oi q' + q-p qubits is a 
purification of //2''out and ^ = //2'^out , from Theorem ^, there exists a unitary transformation P over 
M®V such that 

(I®P)|^init) = \<t^). 

Therefore, 

(i?t®/)(/®P)|^i„it) = |0«'+«^). 
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Thus V accepts the input with certainty. 

For the soundness, suppose that ||^ — //2'^°ut||tr > 1 — 2~". Then, for any unitary transformation 
P' over M^V, letting {ijj) = (/ (g) P')lV'init), we have 

||trp|<^)(</>|-trp|V^)(V^|||tr>l-2-", 

since trjVi(tr-p| (;/!))( 01) = ^ and trx(tr-p|'0)(i/'|) = 7/25out. Therefore we have, 

|||0«')(0^'|-^^(trp|V')(V'|)i?||tr>l-2-" 

Thus the probabihty that V accepts the input is neghgible. 

Finahy, the zero-knowledge property is obvious, because i?|0'^ )(0'^ = trp((I(8)P)|'i/'init)(V'init|(-^® 
P^)) is polynomial-time preparable. □ 

Lemma 6 For any promise problem L G NIQPZK(1, 1/2), there is a polynomial-time deterministic 
procedure that reduces L to the {0, l3)-QSCI problem for < /3 < 1. 

Proof. Let L be in NIQPZK(1, 1/2). Then from the fact that parallel repetition works well for 
non-interactive quantum perfect zero-knowledge proof systems, for any function q-p : Z"*" N, L has 

8- (^V, (?A4) ^•p)"restricted g^-shared-EPR-pairs non-interactive quantum perfect zero-knowledge proof 
system of perfect completeness for some polynomially bounded functions qv,QM->'lS'- N, whose 

soundness error is smaller than 2~" for inputs of length n. 

Let V and P be the honest verifier and the honest prover of this proof system, and let V{x) and 
P{x) be the unitary transformations of V and P, respectively, on a given input x. Let {cj,} be a 
polynomial-time preparable set such that, if the input x of length n is in L, 

= trp(P(x)|V'i„it)(V'init|^'^(a:)) 

for the honest prover P. The existence of such a polynomial-time preparable set is ensured by the 
perfect zero-knowledge property. For convenience, we assume that, for every input x of length n, 
the first qjni'iT') qubits of ax correspond to the message qubits of the original proof system, the last 
q\;{n) — qsin) qubits of ax correspond to the private qubits of the verifier (not including the prior- 
entangled part), and the last qubit corresponds to the output qubit of the original proof system. 

Let M, S, and V be quantum registers, each of which consists of (?x(n) qubits, qs{n) qubits, 
and qv{n) — qs{n) qubits respectively. For every input x, we construct a quantum circuit Qx that 
corresponds to the following algorithm: 

1. Prepare ax in the triplet (M, S, V) of the quantum registers. 

2. If one of qubits in the quantum register V contains 1, output {l^<is{n)y 

3. Do one of the following two uniformly at random. 

3.1 Output the qubits in the quantum register S. 

3.2 Apply V{x) on the triplet (M, S, V) of the quantum registers. 

Output //2«-sW if the last qubit in V contains 1, otherwise, output |0«5("))(0«-s(")|. 

Suppose that x is in L. Then ax = tr-p(P(a;)|^init)('!/'init|-PU^)) is satisfied. Note that 
trv^^^^p(P(a;)|V'init)(V'init|-PUa;)) = I/2isH. Furthermore, for the state P(x)|V'init)(V'mit|-P^(a;), the 
verification procedure of V accepts the input with certainty. Therefore, the circuit Qx constructed 
above outputs //2'?'s(") with certainty. 

Now suppose that x is not in L. We claim that the output mixed state p of Qx satisfies \\p — 
7y'29s{")||^^ > c for some positive constant c < 1. Without loss of generality, we assume that ax is of 
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the form a'^ (g) \Oivin)^Q(iv{n)^^ since the step 2 reduces to the state of this form or outputs the state 
farthest away from I /2'i^^^\ 

For the soundness property of the original proof system, for any mixed state ^(8) |0^''^("))(0^^("')| in 
'D{M®V) satisfying tr^^v^CC ® |0«v("))(0«v(")|) = 7/29'S(")^ the verification procedure of V results 
in accept with probability at most 2~"'. 

Therefore, if \\tTM®Vsi(^'x ® |0«i^("))(0«vW|) - //2«5W||^^ > 1/2, then 

WIvmWx ® |0«^("))(0«^('*)|) - 7/2«^W (g) |0«^("))(0«^(")|||tr > 1/2, 

and thus 

||tr^^7^-//2''^(")||tr>l/2. 

Hence the step 3.1 outputs the mixed state p satisfying ||/9 — I /2'^^^^^\\tr > 1/2. 

On the other hand, if M(^v^{(y'x ® |0«vW)(0'3v{«)|) _ //29s(")||^^ < 1/2, we have 

11^^^ |0</v(n)^^0«v(n)| |09v(n)^^0«v(n)|||^^ < 1/2 

for some mixed state ^®|0«vW)(0«vH I inD(X(g)V) satisfying tr^^y^lC® 1 0*^^ ) (0«v W |) = 7/29sH. 

Therefore, the step 3.2 results in rejection with probability at least 1/2 — 2"^""'"'^^ and thus the circuit 
outputs |0'?v(«))(09v(")| with probability at least 1/2 - 2-("+i). 

Putting things together, in the case x is not in L, the circuit Qx outputs the mixed state p satisfying 
Hp — J/2^'5('*)||tr > c for some constant c greater than, say 1/5. 

Now, constructing r copies of Qx to have a circuit Qf"" for appropriately chosen r reduces L to 
the (0,/3)-QSCI problem for arbitrary < /? < 1. □ 

Thus we have the following theorem. 

Theorem 7 {0,P)-QSCI is complete for NIQPZK(1, 1/2) for0<(3<l. 

4.2 NIQPZK(1, l/2)-Protocol for Graph Non- Automorphism 

The Graph Non-Automorphism (GNA) problem defined below is a special case of the graph non- 
isomorphism ( GNI) problem, and is not known in BQP nor in NP. 

Graph Non-Automorphism (GNA) 
Input: A description of a graph G of n vertices. 

Output: Accept if 7r(G) / G for all non-trivial permutations tt over n vertices and reject 
otherwise. 

It is easy to show that any instance of GNA is reduced to an instance of (0, /3)-QSCI, and thus we 
have the following corollary. 

Corollary 8 GNA has a non-interactive quantum perfect zero-knowledge proof system of perfect com- 
pleteness. 

Proof. We assume an appropriate ordering of permutations over n vertices so that each permutation 
can be represented with qc{n) = [logn!] = 0(n log n) qubits. Let vrj be the i-th permutation according 
to this ordering for < i < n! — 1. 

Let "P be a Hilbert space consisting of qc{n) qubits and ^ be a Hilbert space consisting of qg{n) = 
Oiji^) qubits (intuitively, V is for a representation of a permutation and Q is for a representation of 
a graph). 

Given a graph G of n vertices, consider the following quantum circuit Qg behaving as follows. 
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1. Prepare the following quantum state inV^Q: 

^ n!-l 2''£("'-l 

-== J^|i)|0,7r,(G)) + -_ 

1=0 «=?i! 

2. Output the qubits in V. 

If a given graph G has no non-trivial automorphism groups, every TTi{G) is different from each 
other, and thus the output of Qg is the mixed state //2'^'^("). 

On the other hand, if a given graph G has a non-trivial automorphism groups, the contents of 
qubits in Q have at most 2'^^^'^^ — nl/2 < 3/4 • 2'^^^'^^ variations, and the trace- norm between //2''£(") 
and the output of Qg is at least 1/4. 

Thus the constructed quantum circuit Qg is an instance of (0, l/4)-QSDI, which completes the 
proof. □ 

4.3 BQP-Completeness Results 

Theorem 9 {a, (3)-lQSCI and {a, I3)-1QSD are complete for BQP for < a < P < 1. 

Proof. Straightforward and thus omitted. □ 



5 Conjectures 

Conjecture 1 There is a (deterministic) polynomial-time procedure that, on an input ((5,1") where 
Q is a description of a quantum circuit specifying a mixed state p of qi qubits, outputs a description 
of a quantum circuits R (having size polynomial in n and in the size of Q) specifying a mixed state ^ 
of q2 qubits satisfying the following (for a and (3 satisfying an appropriate condition such as < a < 
l/qi < 1 - 1/qi </3<l). 

\\p-I/2'^'\\tr<a ^ ||^-//2'?2||tr<2-", 

Hp - i/2'?Mltr > /? ||c-//2'?2||tr > l-2-^ 

Under the assumption that Conjecture |l] holds, the following two conjectures can be shown in 
similar manners as the proofs of Lemma ^ and Lemma ^. 

Conjecture 2 {a, f5)-QSCI is in NIQSZK for any a and (3 satisfying an appropriate condition such 
as Q < a < 1/qi < 1 — 1/qi < /3 < 1, where qi is the number of output qubits of the quantum circuit 
given as an instance of {a, j3)-QSCI. 



Conjecture 3 For any promise problem L S NIQSZK, there is a polynomial-time deterministic pro- 
cedure that reduces L to the {a, P)-QSCI problem for any a and f3 satisfying an appropriate condition 
such as < a < 1/qi < 1 — l/^i < (3 < 1, where qi is the number of output qubits of the quantum 
circuit given as an instance of {a, f3)-QSCI. 

Thus, under the assumption that Conjecture || holds, the following conjecture is provable. 

Conjecture 4 (a, f3)-QSCI is complete for NIQSZK for any a and (3 satisfying an appropriate con- 
dition such asO < a < 1/qi < 1 — l/gi < (3 < 1, where qi is the number of output qubits of the 
quantum circuit given as an instance of {a, (3)-QSCI. 
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